The ESXi host Secure Shell (SSH) daemon must not permit tunnels.

An XCCDF Rule

Description

<VulnDiscussion>OpenSSH has the ability to create network tunnels (layer 2 and layer 3) over an SSH connection. This function can provide similar convenience to a virtual private network (VPN) with the similar risk of providing a path to circumvent firewalls and network Access Control Lists (ACLs).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-258764r933353_rule
Severity: Medium
References: CCI-000366
Updated: 9 months ago

From an ESXi shell, run the following command:

# esxcli system ssh server config set -k permittunnel -v no

or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$esxcli = Get-EsxCli -v2
$arguments = $esxcli.system.ssh.server.config.set.CreateArgs()
$arguments.keyword = 'permittunnel'
$arguments.value = 'no'
$esxcli.system.ssh.server.config.set.Invoke($arguments)

The ESXi host Secure Shell (SSH) daemon must not permit tunnels.

Description

Remediation - Manual Procedure